
I tried Vibe Hunting (AI assisted Threat Hunting)

Sponsored by Nebulock. I only do these when I can actually kick the tires and share real notes.

I hopped on a call with my buddies Damien and Christine from Nebulock to see what they’re launching this week: Vibe Hunting - an AI-assisted threat hunting platform aimed at teams who don’t have a staffed hunt program (read: most of you).

TL;DR

  • I spent an hour with Nebulock to try Vibe Hunting, their AI-assisted hunting platform.

  • What it does: Natural-language hunts → step-by-step reasoning → findings you can act on → optional Sigma rule → backtest + synthetic attack sim.

  • Why I care: Most teams don’t have dedicated threat hunters or detection engineers. Closing that loop matters.

  • Best bits: Behavior-based focus, transparent agent “thinking,” Mac-friendly Sigma, backtesting in minutes.

  • Try it here. [Link]

What “Vibe Hunting” actually means

Threat hunting is a skill, not a tool. It generally requires elite humans, custom workflows, and a graveyard of Jira tickets to turn into detections. Nebulock’s spin: use agents to generate hunt hypotheses, pull raw telemetry from the tools you already run, and help you detect behavior - not just look for IOCs.

I tried it live

You land on Hunts and get three hypothesis tiles every day. You can also paste a blog/URL or just type English:

I dropped Google’s Scattered Spider piece and clicked “Create hunt suggestions.”

The agent explained its plan (nice touch, less blackbox AI agent feel) and offered options like “hunt for recon + sus MFA events.”

Love being able to speak naturally instead of syntax.

While that ran, I opened another hunt. You can multi-thread hunts so you don’t sit and wait.

My favorite find from the proactive “Findings” feed:

Suspicious PowerShell execution masquerading as Splunk in non-standard directories (Temp), parented by Splunk-named processes.

That’s the kind of behavioral weirdness I want surfaced without me writing SPL/KQL at 1am.

From any hunt result you can click Create Detection. It generated a Sigma rule (they’ve standardized on Sigma. Major +1 from me on that), defaulted to macOS since my org context said I’m a Mac shop, and then let me retro-hunt it across existing data.

You can even queue a Simulated Attack. Nebulock spins a VM, uses your new rule as context, fires an offensive agent to produce telemetry, and checks whether your detection actually triggers. Unit test + prod backtest in one loop.

That “write Sigma → retro-hunt → synthetic attack” loop is the closest thing I’ve seen to democratizing detection engineering without… detection engineers.
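To make the "finding → Sigma rule → retro-hunt" loop concrete, here is an added example (mine, not the rule Nebulock generated for me) that encodes the Splunk-masquerading PowerShell finding from above as a Sigma rule and replays it over a handful of constructed process-creation events. The field names follow the standard Sigma `process_creation` taxonomy; the Python `DETECTION` dict mirrors the YAML so the backtest runs without PyYAML or pySigma, which is what you would use in a real pipeline. The install-directory paths, image names and events are all constructed sample data.

```python
"""Sigma rule for the "PowerShell masquerading as Splunk" finding, plus a tiny retro-hunt."""

# Sigma rule text (constructed for this example, not a vendor-generated rule).
SIGMA_YAML = """\
title: PowerShell Masquerading as Splunk in Temp Directory
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|contains: 'splunk'
  selection_path:
    Image|contains: '\\Temp\\'
  selection_ps:
    - OriginalFileName: 'PowerShell.EXE'
    - CommandLine|contains: 'powershell'
  filter_install_dir:
    Image|startswith:
      - 'C:\\Program Files\\Splunk\\'
      - 'C:\\Program Files\\SplunkUniversalForwarder\\'
  condition: all of selection_* and not filter_install_dir
level: high
"""

# Python mirror of the YAML `detection` block so the backtest needs no YAML library.
DETECTION = {
    "selection_parent": {"ParentImage|contains": "splunk"},
    "selection_path": {"Image|contains": "\\Temp\\"},
    "selection_ps": [  # list of maps = OR of maps
        {"OriginalFileName": "PowerShell.EXE"},
        {"CommandLine|contains": "powershell"},
    ],
    "filter_install_dir": {
        "Image|startswith": [
            "C:\\Program Files\\Splunk\\",
            "C:\\Program Files\\SplunkUniversalForwarder\\",
        ]
    },
}


def field_matches(event, key, wanted):
    """Evaluate one `Field|modifier: value(s)` entry; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()          # Sigma string matching is case-insensitive
    for cand in (wanted if isinstance(wanted, list) else [wanted]):
        cand = str(cand).lower()
        if modifier == "" and actual == cand:
            return True
        if modifier == "contains" and cand in actual:
            return True
        if modifier == "startswith" and actual.startswith(cand):
            return True
        if modifier == "endswith" and actual.endswith(cand):
            return True
    return False


def selection_matches(event, selection):
    """A map is an AND of its fields; a list of maps is an OR of those maps."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event):
    """condition: all of selection_* and not filter_install_dir"""
    selections = [v for k, v in DETECTION.items() if k.startswith("selection_")]
    if not all(selection_matches(event, s) for s in selections):
        return False
    return not selection_matches(event, DETECTION["filter_install_dir"])


def retro_hunt(events):
    """Backtest: replay the rule over historical events and return the hits."""
    return [e for e in events if rule_matches(e)]


# Constructed sample telemetry (EventID is just a label for the test).
SAMPLE_EVENTS = [
    {   # benign: forwarder child running from the install directory
        "EventID": 1,
        "ParentImage": r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
        "Image": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe",
        "OriginalFileName": "splunk-powershell.exe",
        "CommandLine": "splunk-powershell.exe --ps2 scripts\\collect.ps1",
    },
    {   # the finding: a PowerShell binary renamed splunkd.exe in Temp, parented by a Splunk-named process
        "EventID": 2,
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\splunk-agent.exe",
        "Image": r"C:\Users\alice\AppData\Local\Temp\splunkd.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"splunkd.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\update.ps1",
    },
    {   # PowerShell in Temp, but no Splunk-named parent: outside this rule's scope
        "EventID": 3,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\alice\AppData\Local\Temp\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe -c whoami",
    },
]

if __name__ == "__main__":
    for hit in retro_hunt(SAMPLE_EVENTS):
        print("HIT", hit["EventID"], hit["Image"], "<-", hit["ParentImage"])
```

Running it flags only event 2. The explicit `filter_install_dir` is belt-and-braces against a Splunk install that stages files under a `Temp` subdirectory; the important design point is that the rule keys on behaviour (a PowerShell image in a temp path with a Splunk-named parent), not on a hash of any one binary.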

Key Takeaways From Me

Most teams aren’t threat hunting. They can’t. They’re busy with whatever their tooling is screaming at them. Reacting. They’re drowning in triage. What Nebulock helps with is lowering the skill and time bars in hunting and giving you a fleet of AI agents to seek, find, and do. You don’t just open a ticket for the detection pile. You generate a finding, turn it into a detection, and immediately pressure-test it with a retro-hunt and synthetic attack.

It also leans into behavior over hashes. A lot of intel and hunt tools I see out there are just IOC streams. Left on your own to build the mechanisms to actually make use of them, you’re missing a ton of attacker behavior. The platform assumes adversaries are living off the land and blending into your SaaS and IAM exhaust. That’s the right bias in 2025. IOC sweeps still have a place, but on their own they won’t surface much. Behavior-based hunts will.

Another point I appreciated: Mac isn’t treated like a second-class citizen. A lot of tools still act like Windows is the only operating system that matters. I’ve worked in a ton of shops that are thousands of MacBooks and hundreds of SaaS tools, neither of which has a great “enterprise” security story.

Finally, the agent feels explainable. The UI narrates what it’s doing and why, which is gold for two reasons: juniors get a tutorial every time they run a hunt, and seniors can actually trust the outcome because they can see the reasoning, not just a black-box answer.

Improvements I flagged (they were cool about it)

A few spots could use tightening. Some outputs run long, so I asked for a punchier TL;DR at the top of those results. This was particularly evident to me while watching the agent think. I found myself wanting a “Hey, this is the spicy thing we found” highlight.

After one particularly gnarly finding during my Scattered Spider hunt, I was given a ton of options for how to follow up, but really just wanted to hit an “OK, this is obviously bad and I’m owned, go find me everything about this” button. Yes, I can ask for it in plain English, but a dedicated button would be clutch.

I’m excited to see this evolve in capability beyond EDR and their current signals integrations. Hunt is only as strong as the signals you’re hunting through.

When you try it

Start simple:

  • Paste a high-signal intel post (Google/Mandiant/CISA).

  • Click a hypothesis, run it, and read the agent’s plan.

  • Turn one finding into a Sigma rule.

  • Retro-hunt it and queue a sim.

  • If you’re Mac-first, pay attention to how it treats macOS behavior.

I’ll probably do a video later, but for now: this was a solid first session and the democratizing Threat Hunting + attack sim + Sigma loop is a major unlock.

Try Nebulock Vibe Hunting (just launched) here.

Sponsored by Nebulock. Opinions are mine, and I gave them feedback live while testing.